cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
837
Views
4
Helpful
3
Replies

Size Cutoff For Virtual PANs?

alkirk
Level 1
Level 1

I'm in the final stages of sizing for an enterprise/large ISE project, and have already settled on a 2 data center deployment with a pair of physical 3595 PSNs at each site, a single physical 3595 MNT at each site, and a single 3595-scale PAN at each site, to provide failover in the the event that an entire data center goes down for a 50K user deployment. Customer has specifically asked why he shouldn't virtualize his PANs, and wants details of why not if we suggest sticking to physical devices.

Reading http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21_… the official answer from Cisco appears to be that as long as a virtual environment is properly validated and has appropriately reserved hardware we can scale up to the same performance as a 3595. Unofficially do we stand by that document, or is there a deployment size beyond which we always recommend physical appliances instead of virtual?

Craig, Hsing, if either of you see this it's the same eval you've been providing awesome assistance with. :-)

1 Accepted Solution

Accepted Solutions

Customers should always plan on deploying full resources with resource reservations.  It is only in a few cases that we come across customers with dedicated virtual appliance team that fully understands the requirements of ISE nodes and is able to continuously monitor and quickly respond to any resource shortages that can impact the node scaling and performance.  IF there is an issue discovered in resource allocation, often customers do not have adequate resources to augment the existing VMs without moving VMs to other hardware or adding capacity to existing hardware. With such a critical service now being impacted, it is not uncommon to shift blame to Cisco for allowing them to assume the risk.  It is a fine line and so we always caution and promote customers to deploy full and dedicated resources to the VMs up front so not stuck in a bind later as deployment grows.  However, for the customers that are fully prepared and staffed to monitor and adjust dynamically to the requirements, we do allow them to start with lesser allocations.

Craig

View solution in original post

3 Replies 3

hslai
Cisco Employee
Cisco Employee

Yes, we do support our official documentation. chyps also talked about it in his various speaking engagements.

Customers should always plan on deploying full resources with resource reservations.  It is only in a few cases that we come across customers with dedicated virtual appliance team that fully understands the requirements of ISE nodes and is able to continuously monitor and quickly respond to any resource shortages that can impact the node scaling and performance.  IF there is an issue discovered in resource allocation, often customers do not have adequate resources to augment the existing VMs without moving VMs to other hardware or adding capacity to existing hardware. With such a critical service now being impacted, it is not uncommon to shift blame to Cisco for allowing them to assume the risk.  It is a fine line and so we always caution and promote customers to deploy full and dedicated resources to the VMs up front so not stuck in a bind later as deployment grows.  However, for the customers that are fully prepared and staffed to monitor and adjust dynamically to the requirements, we do allow them to start with lesser allocations.

Craig

The issue around reservations is something that was already on my  mind with this account, and you're the third person who's agreed with this stance this morning, so I'm going to message to the customer that it can be done, but dedicated hardware takes the complexity out of working with different teams within the organization.

Thanks very much for the quick confirmation here!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: